Description
The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Published: 2026-06-12
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Secure Copy Content Protection and Content Locking WordPress plugin, versions prior to 5.1.5, fails to sanitise and escape the ays_sccp_sub_icon_image configuration setting. This oversight allows an attacker with administrative privileges to store malicious JavaScript directly in the plugin’s settings. When a page that displays the stored value is loaded, the script executes in the context of the admin user, enabling arbitrary code execution, data theft, site defacement, or session hijacking.

Affected Systems

WordPress sites running the Secure Copy Content Protection and Content Locking plugin older than version 5.1.5. No other vendors or products are affected according to the data provided.

Risk and Exploitability

The vulnerability is a stored XSS that requires authenticated access with administrative rights, so the attack vector is an authenticated request to the plugin’s configuration interface. The CVSS score of 3.5 and an EPSS score of less than 1% indicate low overall severity, yet because the payload is rendered in an administrative context it runs with the privileges of the high-privilege user who views the page. The issue is not listed in the CISA KEV catalog, and no public exploit code is known, but an attacker who can gain or already possesses admin rights can exploit the flaw directly.

Generated by OpenCVE AI on June 12, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secure Copy Content Protection and Content Locking plugin to version 5.1.5 or newer.
  • If an upgrade is not immediately possible, disable or delete the ays_sccp_sub_icon_image setting to prevent unsanitised data from being stored.
  • Configure a site‑wide content sanitisation policy that strips dangerous scripts from stored configuration data.
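The Impact section above describes a setting that is neither sanitised on save nor escaped on output, and the recommended actions ask for a sanitisation policy for stored configuration data. The following PHP is an added illustration of that two-step pattern and is not code from the Secure Copy Content Protection plugin or from OpenCVE: the option name ays_sccp_sub_icon_image is taken from this advisory, while the sccp_demo_* function and constant names, the sample inputs and the choice of an http(s)-only URL allowlist are assumptions made for the example. It uses plain PHP so it runs without WordPress; the WordPress helpers that play the same roles (esc_url_raw() for the save path, esc_url()/esc_attr() for output) are named in the comments.

```php
<?php
// Added example (not the plugin's own code): sanitise a stored setting on save
// and escape it again on output. The option name comes from the advisory; the
// sccp_demo_* names and the sample inputs below are constructed for this example.

// Assumption for the example: an icon image setting should only ever hold an
// absolute http(s) URL.
const SCCP_DEMO_ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Sanitise on save. filter_var() rejects malformed URLs (including scheme-only
 * values such as javascript:...), and the allowlist rejects well-formed URLs
 * with any other scheme. Anything rejected is stored as an empty string.
 * WordPress equivalent: esc_url_raw( $raw, array( 'http', 'https' ) ), wired in
 * through register_setting()'s 'sanitize_callback'.
 */
function sccp_demo_sanitize_icon_image(string $raw): string
{
    $candidate = trim($raw);
    if ($candidate === '' || filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    if (!in_array($scheme, SCCP_DEMO_ALLOWED_SCHEMES, true)) {
        return '';
    }
    return $candidate;
}

/**
 * Escape on output. URL validation is not an HTML encoder, so a quote that
 * survives the save path must still be encoded for the attribute context it is
 * rendered into; that is what keeps the value inside src="...".
 * WordPress equivalent: esc_url() (or esc_attr() for non-URL attributes).
 */
function sccp_demo_render_icon_image(string $stored): string
{
    if ($stored === '') {
        return '';
    }
    return '<img src="' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="">';
}

// Constructed inputs: a legitimate URL, a non-URL that tries to close the
// attribute, a disallowed scheme, and a URL carrying a quote in its path.
$inputs = [
    'https://example.com/icon.png',
    '"><b>not-a-url</b>',
    'javascript:void(0)',
    'https://example.com/icon".png',
];

foreach ($inputs as $raw) {
    $stored = sccp_demo_sanitize_icon_image($raw);
    printf(
        "raw=%s\n  stored=%s\n  html=%s\n",
        $raw,
        var_export($stored, true),
        sccp_demo_render_icon_image($stored)
    );
}
```

Run it with `php` on the command line: the first input is stored and rendered unchanged, the second and third are reduced to an empty string on save, and the fourth shows why output escaping is kept even after sanitisation, since the quote is emitted as `&quot;` rather than terminating the attribute.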

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:15:00 +0000

Type: First Time appeared
Values Added:
  • Copy Content Protection Team
  • Copy Content Protection Team secure Copy Content Protection And Content Locking
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Copy Content Protection Team
  • Copy Content Protection Team secure Copy Content Protection And Content Locking
  • Wordpress
  • Wordpress wordpress

Fri, 12 Jun 2026 18:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Fri, 12 Jun 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Fri, 12 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 07:45:00 +0000

Type: Weaknesses
Values Added: CWE-79

Fri, 12 Jun 2026 06:45:00 +0000

Type: Description
Values Added: The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Title
Values Added: Secure Copy Content Protection and Content Locking < 5.1.5 - Admin+ Stored XSS via ays_sccp_sub_icon_image Parameter
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-12T14:00:15.476Z

Reserved: 2026-05-22T10:06:50.984Z

Link: CVE-2026-9269

Vulnrichment

Updated: 2026-06-12T13:59:23.772Z

NVD

Status : Deferred

Published: 2026-06-12T07:16:21.237

Modified: 2026-06-12T15:57:31.627

Link: CVE-2026-9269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:00:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')